| Title | Online Flight Booking Management System review_search.php has SQL injection. |
|---|---|

Description

Line 9: the POST parameter `txtsearch` is received and assigned to `$txtsearch` without any validation:

```php
$txtsearch=$_POST['txtsearch'];
```

Lines 172-186: `$txtsearch` is spliced directly into the query string:

```php
<?php
$event_query = $conn->query("select * from sub_event where event_name like '%$txtsearch%'") or die(mysql_error());
$menum_row = $event_query->rowcount();
if( $menum_row > 0){ ?>
<h3>Sub Events</h3>
<?php
while ($event_row = $event_query->fetch())
{
$search_mainevent_id=$event_row['mainevent_id'];
$search_subevent_id=$event_row['subevent_id'];
?>
```

Because the user-supplied string is neither validated nor parameterised and is concatenated straight into the SQL statement, the query is vulnerable to SQL injection. This can cause serious harm to the system.

| Source | ⚠️ https://github.com/qyhmsys/cve-list/blob/master/Online%20Flight%20Booking%20Management%20System%20review_search.md |
|---|---|
| User | wei.zhang (UID 38856) |
| Submission | 13.01.2023 07:47 (3 years ago) |
| Moderation | 13.01.2023 10:20 (3 hours later) |
| Status | Accepted |
| VulDB Entry | 218277 [SourceCodester Online Flight Booking Management System POST Parameter review_search.php txtsearch SQL Injection] |
| Points | 20 |
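The fix for this class of bug is to stop splicing `$txtsearch` into the SQL text and bind it as a parameter instead. The following is an added example, not code from the SourceCodester project: it rewrites the `sub_event` lookup from `review_search.php` as a PDO prepared statement and runs it against an in-memory SQLite table constructed here so it executes offline. The table and column names (`sub_event`, `mainevent_id`, `subevent_id`, `event_name`) are taken from the vulnerable snippet; the sample rows and the function name `search_sub_events` are assumptions for the demonstration.

```php
<?php
// Added example (not the project's code): hardened version of the
// review_search.php sub_event lookup using a PDO prepared statement.
// Assumes $conn is a PDO handle and a table sub_event with the columns
// mainevent_id, subevent_id, event_name as seen in the vulnerable snippet.

function search_sub_events(PDO $conn, string $txtsearch): array
{
    // Neutralise LIKE wildcards in the user input so a '%' or '_' typed by the
    // user cannot widen the match; '!' is declared as the escape character.
    $needle = strtr($txtsearch, ['!' => '!!', '%' => '!%', '_' => '!_']);

    // The input travels as a bound parameter and is never part of the SQL text,
    // so quotes inside $txtsearch cannot alter the statement's structure.
    $stmt = $conn->prepare(
        "SELECT mainevent_id, subevent_id, event_name
           FROM sub_event
          WHERE event_name LIKE :needle ESCAPE '!'"
    );
    $stmt->execute([':needle' => '%' . $needle . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- constructed sample data so the example runs stand-alone ---
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE sub_event (mainevent_id INTEGER, subevent_id INTEGER, event_name TEXT)');
$ins = $conn->prepare('INSERT INTO sub_event VALUES (?, ?, ?)');
foreach ([[1, 10, 'Wine tasting'], [1, 11, 'Gala dinner'], [2, 20, 'City tour']] as $row) {
    $ins->execute($row);
}

// Ordinary search term: matches the rows whose event_name contains it.
printf("dinner -> %d row(s)\n", count(search_sub_events($conn, 'dinner')));

// Input containing quote characters is matched literally instead of being
// interpreted as SQL, which is exactly what the original spliced query failed to do.
printf("quoted input -> %d row(s)\n", count(search_sub_events($conn, "Gala's \"dinner\"")));

// A bare '%' is treated as a literal character, not as a wildcard.
printf("%% -> %d row(s)\n", count(search_sub_events($conn, '%')));
```

In the real application `$txtsearch` would come from `$_POST['txtsearch']` as on line 9; only the query construction needs to change. Enabling `PDO::ERRMODE_EXCEPTION` also replaces the `or die(mysql_error())` pattern from the original, which mixes the removed `mysql_*` extension with a PDO handle and would not report errors correctly.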